Friday, 05 August 2016 04:19

Chrome, Firefox Vulnerable to Crashes via Search Suggestions


Security researchers from Nightwatch Cybersecurity have discovered a way of crashing Chromium and Firefox browsers on mobile and desktop devices.

Their method relies on the search suggestions feature that these browsers support. The issue is not a software bug but a design choice in how the feature is implemented, which makes the attack possible.

Most of today's browsers have a search field or allow users to search via the URL address bar. Based on the search engines supported inside the browser, search suggestions can be shown as the user types their query.

2GB search suggestion reply

Nightwatch security experts say that if the browser's search engine provider doesn't protect these search suggestions via an encrypted HTTPS channel, an attacker on the local network can intercept search suggestion queries and answer before the search provider does.

An attacker can insert large chunks of data inside this response, which can lead to the browser or the operating system exhausting memory resources and eventually crashing.
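The two defensive checks this implies, shown as an added example that is not code from the researchers or from any browser: refuse suggestion endpoints that are not HTTPS, and stop reading a reply once it passes a size cap. The caps, the names, and the OpenSearch-style reply format `["query", ["s1", ...]]` are assumptions for illustration.

```python
import json
from urllib.parse import urlsplit

MAX_SUGGEST_BYTES = 64 * 1024   # assumed cap; genuine suggestion replies are tiny
MAX_SUGGESTIONS = 20            # assumed cap on entries handed to the UI
# Constructed sample reply in the assumed OpenSearch-style format.
SAMPLE_REPLY = b'["ubu", ["ubuntu", "ubuntu 16.04"]]'

class SuggestionRejected(Exception):
    """Raised when a suggestion endpoint or reply fails a safety check."""

def check_endpoint(url):
    """Refuse suggestion endpoints that are not fetched over HTTPS."""
    if urlsplit(url).scheme.lower() != "https":
        raise SuggestionRejected("suggestion endpoint is not HTTPS: " + url)
    return url

def read_capped(stream, limit=MAX_SUGGEST_BYTES, chunk_size=4096):
    """Read a reply in chunks and abort as soon as it exceeds the limit."""
    buf = bytearray()
    while True:
        chunk = stream.read(chunk_size)
        if not chunk:
            return bytes(buf)
        buf += chunk
        if len(buf) > limit:
            # Stop here instead of buffering an attacker-sized body.
            raise SuggestionRejected("suggestion reply exceeds %d bytes" % limit)

def parse_suggestions(body):
    """Parse the capped body and return at most MAX_SUGGESTIONS strings."""
    try:
        data = json.loads(body.decode("utf-8"))
    except ValueError as exc:   # covers bad UTF-8 and bad JSON
        raise SuggestionRejected("malformed suggestion reply") from exc
    if not (isinstance(data, list) and len(data) >= 2 and isinstance(data[1], list)):
        raise SuggestionRejected("unexpected suggestion structure")
    return [s for s in data[1] if isinstance(s, str)][:MAX_SUGGESTIONS]

class EndlessReply:
    """Constructed stand-in for an oversized reply; it is never held in full."""
    def __init__(self):
        self.served = 0

    def read(self, n):
        self.served += n
        return b"A" * n
```

With these defaults the reader gives up after at most one chunk past the cap, so memory use stays bounded no matter how much data the sender keeps streaming.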

The good news is that researchers weren't able to execute malicious code during these crashes, which would have caused more problems for browser makers.

During their tests, researchers managed to crash the Android stock browser on Android 4.4, Chrome 51 on Android 6.01, and Firefox 47 on Ubuntu 16.04. They also crashed the entire Ubuntu 16.04 OS when running Chrome 51.

Not a security issue, so a bugfix is coming later during the year

For this crash to occur, as mentioned above, users need to use a search provider built into the browser that doesn't employ HTTPS. The list includes eBay on Firefox, AOL and on Chrome, and Bing and Yahoo on Android's stock browser.

Internet Explorer, Edge, and Safari aren't affected by this issue. Safari had to deal with its own search-induced crash at the start of the year, so its reputation is not as clean as you might think.

The Android, Chrome, and Firefox teams declined to classify this bug as a security issue, since it actually isn't, meaning that a fix will be coming later rather than sooner.

